Anatomy of the Deception
Security researchers have uncovered a sophisticated supply chain attack targeting Go developers through a typosquatted module. The malicious package, hosted on GitHub under the path github.com/shopsprint/decimal, deliberately mimics the popular shopspring/decimal library by changing just one letter. The fake package went live in 2017 but remained dormant until August 2023, when the attackers activated a hidden backdoor that communicates over DNS records.
The compromised library is particularly dangerous because it mirrors the legitimate package so precisely. Developers working on financial software, billing systems, cryptocurrency platforms, and analytics tools frequently use the real decimal library for precise arithmetic. Any project importing the fake version will compile and run without errors or suspicious output, making detection extremely difficult.
Persistence and Impact
The weaponized version, published in August 2023, was released only minutes after a clean update to create the appearance of routine maintenance. Earlier versions were entirely harmless, a deliberate trust-building strategy. Even after the original GitHub account was deleted, the threat persists because Go’s module proxy permanently caches all published versions.
Researchers at Socket.dev identified the rogue module and traced its activation to the exact moment of weaponization. The backdoor beacon fires every five minutes with no visible process activity, potentially remaining undetected for weeks or months. This attack underscores the ongoing risk in software supply chains, where a single character difference can compromise countless development environments.
Source: Cyber Security News
